The day an organization is successfully attacked is memorable for most IT professionals. David Shipley has no trouble remembering the date of the one he faced as a Web site administrator at the University of New Brunswick.
“Mother’s Day 2012,” he promptly says when asked about the incident. The attackers didn’t get very much, but it led to the start of a four-part holistic overhaul of the university’s IT security, an effort which is halfway to completion.
“By the end of this we’ll be much better positioned to deal with the threats we face,” says Shipley, now director of strategic initiatives for UNB’s cybersecurity team.
The four prongs include a persistent security awareness campaign for the roughly 14,000 students and staff on two campuses; a data governance program to classify all documents; an overhaul of the network and security architecture; and a new IT security policy.
The network overhaul is a multi-year project which started last summer. Recently the university put out an RFI to industry vendors for designing what Shipley calls a “next-generation architecture.” He suspects first product acquisitions of what could be up to a $2 million spend will start this spring after the design is approved.
Meanwhile the security policy, which will cover UNB’s approach to protecting information and information systems and how it will respond to cyber security incidents, is in the final draft stage.
“The purpose of the policy isn’t to cover things we’ve already done, like an acceptable use policy,” he says. “It’s designed to inform managers, supervisors, deans, directors of their role in protecting information and information technology assets in their custody. This has traditionally been a challenge for universities like UNB where we often have decentralized IT, so we want to empower folks, first and foremost, to know they are part of the response the university can put forward to effectively deal with all the threats we see on a daily basis.”
UNB sees more than 50 million attempts a week to breach the network (many of them automated brute force attacks). Of those, 300 a year are “notable” incidents (defined as a DDoS, compromises of servers, significant malware infections, account compromises, fraud attempts and student cyberbullying, stalking, identity theft).
What UNB wants to avoid, he said, is what happened to Rutgers University in the U.S., which had to hike tuition fees to pay for a crash multi-million dollar cybersecurity upgrade to deal with crippling DDoS attacks.
“So we’re trying to get ahead of what we see is an increasingly hostile environment,” Shipley says.
The May 13, 2012 attack was its wakeup call. “A hacktivist team called Team Digi7al exploited an outdated portion of our public Web site,” he recalled. “They used an SQL injection attack and gathered some non-public but non-sensitive information — budgets and that type of stuff — and published it to Pastebin and Twitter.”
As one of the recipients of a taunting message from the hackers, it was Shipley’s job to spread the alert to the IT department.
(Background: Team Digi7al was led by a U.S. Navy nuclear systems administrator who worked on a U.S. aircraft carrier — you read that right — and a 20-year-old student. The group hacked into and posted details from a number of organizations around the world including the Toronto Police Service and the University of British Columbia. Caught by a sting run by the Naval Criminal Investigative Service (NCIS), the pair were sentenced in 2014 to 24 months in prison.)
When the dust settled Terry Nikkel, the university’s CIO and associate vice-president of information technology services, decided things had to change to keep up with ever-increasing threats.
“As we matured we realized that cyber security is a pan-organization function, and so that’s where a couple of initiatives that go far beyond IT are crucial parts of our new strategy,” Shipley said.
One is giving tools to department managers to inventory and categorize data, and to create data retention policies. An organization can’t protect data it isn’t aware of, he points out. Educating users about the dangers of data hoarding is also important “because the easiest data to protect is the data you no longer keep around.”
The cyber-awareness campaign uses a variety of tools — posters on campus, social media, YouTube videos and management briefings are among them. With financing from the university’s risk management department, a one-year licence for the online PhishMe training service has been taken out to give staff and students a vehicle for learning what to look for.
Started last October as part of security awareness month, it has continued. “The intent is to have it as a persistent campaign,” says Shipley. “This is a constant communications effort, and I think it’s an area that’s often overlooked because cybersecurity is often the responsibility of the IT department.”
It’s important because a study showed that as much as 20 per cent of endpoints in a six-month period can have “fairly significant infections.”
The new network and security architecture will have several components to overcome that, including network segmentation, a network access control platform and an integrated malware response system tied to UNB’s IBM QRadar security information and event management platform. That will require vendors who can promise tools that work together. The first is Trend Micro’s Deep Discovery anti-virus platform. The SIEM will be the core of what he calls a “digital immune system” that shares threat intelligence from devices and can take defensive action.
“We estimate that the average device cleanup takes about three hours of staff time,” Shipley says. “When you’re dealing with 1,400 infections a year that cost adds up really quickly.”
He stresses that the university is taking a holistic approach, not looking for a silver bullet. That will improve the institution’s risk profile “because IT Security isn’t the problem. Systems, in and of themselves aren’t the issue. The issue is the combination of systems and humans, which is why I’m a proponent of a cybersecurity focus over an information security or information technology security focus.
“For me, the value of the four-pronged approach to cybersecurity is that it places 75 per cent of the emphasis on the key problem: People (information security policy, roles etc. and data governance, cybersecurity awareness and behaviour change) and gives the technology (25 per cent) the conditions required to succeed.”